The importance of resilience in the Canadian cyber insurance market

All’s well that responds well

By Daniel Shum, Nick Galletto, Megan Brister, and Aneesa Ruffudeen
Insurers hold a great deal of private information about their clients. Because of this, they’re at risk of attack from cyber criminals who aren’t necessarily even interested in the insurers themselves, but who seek to profit from selling personal information or intellectual property. This is true of other kinds of organizations as well, but insurers offering “cyber insurance”—a practice still just taking root in Canada—are doubly obliged to protect themselves. Cyber insurance provides access to data breach coaches and other resources, which puts the onus on cyber insurers to understand cyber risk management better than other industries do, and to practise it equally well. Call this irony, or simply the cost of doing business, but it’s true. And even if a cyber insurance provider does suffer an attack, how it responds will speak volumes about its fundamental preparedness and reliability—and about its cyber insurance offering.

But let’s back up a minute.

When we talk about cybersecurity, three words in particular are most often on our lips: secure, vigilant, and resilient. Organizations looking to weather the constantly pounding storm of cyber threats in this day and age have to be all three.

Secure insurers are those that have established appropriate controls to protect against known and emerging threats, and that are compliant with standards and regulations. This includes ensuring that the processes they use to implement “InsurTech” innovations follow a security-first mindset, and implementing controls to govern the exchange of information with third parties.

If they’re vigilant, they understand how things like driverless cars and virtual payments impact their threat landscape, and they’ve established situational risk and threat awareness to detect violations and anomalies.

And, finally, resilient insurers are able to deal with critical incidents (such as an attempt to infiltrate personal health records from their network), quickly return to normal operations, and repair any damage done to the business or the brand.

These are the principles of a strong cyber risk management program, and they apply no matter the business. That’s both good news and bad for insurers, though, because while insurance products support the industry’s growth, a successful attack on a cyber insurance provider specifically—especially one that isn’t resilient—would undermine practically, well, everything.

All’s well that responds well

At the most strategic level, responding well to an attack—in other words, being resilient—involves striking a balance between recovering or enhancing capabilities and restoring confidence among a broad spectrum of stakeholders.

Restoring fundamental business and operational capabilities is obviously a first-order priority in the case of disruptive or destructive attacks. Capabilities specific to cyber risk, however, also need to be enhanced to more effectively secure the environment, provide better visibility into ongoing threats, and reduce the impact of future attacks. This is because rebuilding confidence without alignment to a “capability roadmap” may lead to false confidence, increasing potential exposure and risk during the remediation process.

In this sense, then, resilience is about removing all doubt that the organization’s digital assets, like personal health records or payment information, are safe and that the organization is prepared for a repeat incident—should one occur.

Which it almost certainly will.

So, how and where to focus? Every incident response has a lifecycle—which ideally begins even before an incident occurs and features both proactive and responsive capabilities.

Proactive capabilities include:

- Governance and strategy, which encompasses the design and development of an incident response program that includes not just the IT team, but a clear integration model with legal, communications, talent teams, and business operations
  - Especially for insurance providers, this includes development teams working to innovate products and services so they are more digitally accessible
- Architecture and operations, which involves the design and implementation of a resilient IT infrastructure, architecture patterns that embed security in your solutions, and processes that ensure operational teams are making risk-based decisions
  - With InsurTech and peer-to-peer payments on the rise, all insurers today need to consider implementing an agile development process where security is at the forefront
- Identification, which is about the persistent and ongoing tracking of information assets, system accesses, and critical business processes and functions most in need of protection against attack
- Playbooks, which provide a “how-to” guide for threat scenarios relevant to insurers, including privacy breaches, ransomware, spyware, and malware
- Simulations and war gaming, to enable insurers to rehearse their incident response capabilities in a simulated or near-real scenario and learn lessons in a “safe” environment

Midway between being proactive and responsive comes triage. Exactly like a hospital’s emergency room, triage involves gathering information on multiple incidents, correlating and prioritizing those incidents, and identifying steps for an appropriate response. Insurance providers need to make a decision here. Do you take steps to contain the threat immediately or do you watch and learn? Conducting a compromise assessment can help identify if your environment has already been compromised by advanced threat actors, like a malicious insider sharing trade secrets on your underwriting policies.

As the lifecycle completes with responsiveness, capabilities are geared to:

- The response itself, which should focus on containment activities that prevent further impact to the organization and on eradication to eliminate the threat
- Recovery, in which the business resumes its operations and restrictive controls are removed
- Sustaining the effort, which concentrates on a long-term risk mitigation plan to prevent similar attacks and on learning lessons from this one

Cyber self-insurance

All of this will be for naught, however, if the organization’s leadership is not engaged. During an incident, the obvious is often overlooked or mismanaged, and cyber incidents can quickly become critical business issues. For this reason, an executive-level incident response team should be driving decisions and leading the prioritization of enhancements and restoration, both in terms of capabilities and confidence.

There will be challenges. You have to tell an accurate and consistent story across a range of communications to multiple audiences, including what actually happened, who was affected, what you plan to do about it, and what progress you are making. That is much easier said than done for a cyber insurance provider that has just suffered a cyberattack. You will likely be responding to an overwhelming volume of information requests from customers, partners, vendors, and so on. You may even have to deal with threats of legal and/or regulatory action, and have to determine what recourse, if any, is available to you.

So, cyber insurers, do yourself and your policy holders a favour and prepare for the inevitable. Because trust us: if you’ve put plans in place to be resilient—if you know how to respond well—you’ll be that much further ahead.

Meet the authors

Daniel Shum, Partner, National Insurance Sector Leader

Daniel Shum is a partner in Deloitte’s Financial Services practice and the National Insurance Sector Leader. Daniel has over 23 years’ experience working in the insurance industry in Canada and the U....

Nick Galletto, Global & Canada Cyber Risk Leader

Nick Galletto is the Global and Canada Cyber Risk Services leader. He has 30 years of experience in information technology, networking, systems management and information security management. He has a...
